WebAssembly Intermediate 12 min read

WASM for IoT Firmware Updates: Secure Field-Updateable Device Functionality

wasm iot-security firmware-updates embedded ota-updates

WASM for IoT Firmware Updates: Secure Field-Updateable Device Functionality

The Problem

Traditional IoT firmware updates replace the entire executable image on a device. A temperature sensor running a 512KB firmware binary must download, verify, write, and reboot into a complete new image whenever business logic changes — even if the change is two lines of threshold logic in a single function. The blast radius of a failed update is total: a bad write bricks the device. The attack surface is maximized: any compromise of the OTA server or signing key affects every device that polls it. Physical recovery in the field costs more than the device.

The alternative is shipping logic as a WASM module rather than a full firmware image. The firmware itself — bootloader, RTOS, hardware drivers, WASM runtime — changes infrequently. Application logic arrives as a signed .wasm file over OTA, loaded by the runtime, and executed inside a sandbox that cannot access memory outside its own linear memory region. A logic change is a WASM-payload swap: a few kilobytes, not hundreds. A failed update is a module rollback, not a device reflash.

By 2026 this pattern is in production across industrial, automotive, and consumer IoT:

  • Wasm3 — a stack-based interpreter written in C, running on Cortex-M3/M4 with as little as 64KB RAM and no MMU requirement. Wasm3 interprets the WASM bytecode directly; no JIT compilation, no code-gen dependencies.
  • WAMR (WebAssembly Micro Runtime) — the Bytecode Alliance’s embedded runtime with a tunable footprint from ~50KB (interpreter only) to ~200KB (AOT compiler enabled). WAMR targets embedded Linux on Cortex-A class SoCs and has been adopted by projects across automotive and smart appliance verticals.
  • wasmEdge — a CNCF-graduated runtime suited for gateway-class devices with 64MB+ RAM, full WASI support, and a socket API for network-connected edge nodes.

The security gaps in a default deployment of this pattern are consistent across teams: WASM artifacts pulled over HTTP without signature verification; runtime memory limits left at defaults; rollback not implemented because “we haven’t had a bad update yet”; capability grants mirrored from a Linux process model rather than designed for the module. This article fixes each of those gaps.

Why WASM Instead of a Full Firmware Image

The core security argument for WASM-based IoT updates rests on four properties that full firmware updates cannot match.

Isolation by construction. A WASM module runs in a sandbox where every memory access is validated against the module’s linear memory bounds before execution. A buffer overflow in application logic cannot corrupt the RTOS heap, overwrite the bootloader, or reach device driver memory. The firmware is not rewritten; only the module’s isolated region is active. Contrast this with a firmware image update, where a memory corruption bug in the new firmware image executes with full hardware access on the next boot.

Reversibility without hardware. Swapping a WASM module is a file operation. The previous module is retained on the device. Rollback means activating the old file — no flash erase cycle, no device downtime beyond a runtime restart. Full firmware rollback requires an A/B partition scheme, a bootloader that understands partition health, and 2x flash capacity reserved for the inactive slot. WASM A/B applies only to a small application-logic file.

Smaller update payloads. A Rust function compiled to WASM for a sensor-processing task might be 40KB. The equivalent firmware image for the same Cortex-M4 includes the entire RTOS, all driver code, and the WASM runtime — typically 256KB to 1MB. Smaller payloads reduce the window in which an interrupted OTA transfer leaves a device in an inconsistent state.

Memory-safe language support. Rust and other memory-safe languages compile to WASM. Teams building IoT application logic in Rust get compile-time memory safety guarantees, and those guarantees are not undermined by linking against C device-driver code — the Rust WASM module is isolated from that code by the sandbox boundary. C firmware upgrades bring the same memory-unsafety risks with them into the device regardless of update method.

Wasm3 for Microcontrollers

Wasm3 is the practical choice for microcontrollers with under 1MB RAM. Its interpreter model avoids JIT compilation entirely, which matters on Cortex-M devices that enforce an XN (execute-never) policy on RAM — JIT-generated code in RAM would fault on those targets.

Wasm3 exposes a minimal C API for embedding:

// Minimal Wasm3 embed on a Cortex-M4 target.
#include "wasm3.h"
#include "m3_env.h"

#define WASM_STACK_SIZE   (64 * 1024)  // 64KB interpreter stack
#define WASM_MEMORY_SIZE  (128 * 1024) // 128KB WASM linear memory limit

static uint8_t wasm_stack[WASM_STACK_SIZE];

M3Result load_and_run(const uint8_t *module_bytes, size_t module_len) {
    IM3Environment env = m3_NewEnvironment();
    if (!env) return "OOM: environment";

    IM3Runtime runtime = m3_NewRuntime(env, WASM_STACK_SIZE, NULL);
    if (!runtime) return "OOM: runtime";

    // Enforce memory limit before module execution begins.
    runtime->memoryLimit = WASM_MEMORY_SIZE;

    IM3Module module;
    M3Result result = m3_ParseModule(env, &module, module_bytes, module_len);
    if (result) return result;

    result = m3_LoadModule(runtime, module);
    if (result) return result;

    // Link host functions (device peripherals, sensors).
    result = m3_LinkFunction(runtime, "env", "gpio_read",
                             "i(i)", &host_gpio_read);
    if (result) return result;

    IM3Function fn;
    result = m3_FindFunction(&fn, runtime, "sensor_tick");
    if (result) return result;

    return m3_CallV(fn);
}

The runtime->memoryLimit assignment is the critical resource-constraint line. Without it, a WASM module that requests memory.grow to its binary’s declared maximum can exhaust the microcontroller’s RAM and starve the RTOS. Set this to a value derived from the device’s memory map — whatever remains after RTOS, driver, and network stack allocations.

WAMR on Embedded Linux

WAMR targets the MPU and gateway tier (Cortex-A53, Cortex-A72, i.MX8) where embedded Linux runs and memory budgets are measured in megabytes rather than kilobytes. WAMR supports both its own interpreter and AOT compilation via wamrc, which pre-compiles the WASM binary to native code offline and ships the .aot file to the device. AOT mode eliminates runtime compilation overhead, reduces binary size compared to JIT runtimes, and is safe on XN-capable devices because the AOT output is a static file loaded into an executable code region.

# On the build server: compile a WASM module to WAMR AOT for ARM Cortex-A53.
wamrc --target=aarch64 \
      --target-abi=gnu \
      --cpu=cortex-a53 \
      --opt-level=3 \
      -o sensor-app.aot \
      sensor-app.wasm

# Sign the AOT binary before distribution.
openssl dgst -sha256 -sign signing-key.pem \
    -out sensor-app.aot.sig sensor-app.aot

# On the device: verify and load.
openssl dgst -sha256 -verify signing-pubkey.pem \
    -signature sensor-app.aot.sig sensor-app.aot \
  && iwasm sensor-app.aot

WAMR’s iwasm command-line host accepts --max-heap-size and --stack-size flags that map directly to the device’s available memory budget. In a production embed these are set in the C host rather than on the command line:

RuntimeInitArgs init_args = {0};
init_args.mem_alloc_type = Alloc_With_Pool;
init_args.mem_alloc_option.pool.heap_buf   = global_heap;
init_args.mem_alloc_option.pool.heap_size  = DEVICE_HEAP_SIZE;
wasm_runtime_full_init(&init_args);

Providing a pre-allocated pool for WAMR’s heap prevents malloc from competing with the RTOS allocator and makes peak memory usage deterministic — important for devices with hard real-time constraints.

Signing WASM Modules for IoT

Code signing for IoT WASM modules has different requirements from web or cloud signing:

  • Compact signatures. Ed25519 signatures are 64 bytes. RSA-2048 signatures are 256 bytes. On constrained devices verifying signatures from flash, the verification time and storage overhead of Ed25519 are significantly lower. Use Ed25519.
  • No OCSP/CRL online check. IoT devices may be offline or on restricted networks. The signing scheme must work with a pre-loaded public key, not an online certificate status protocol.
  • Per-fleet signing keys. Sign modules with a key that is scoped to a device fleet or model family. A key compromise in one fleet does not invalidate modules for other fleets.

A minimal signing workflow using openssl and Ed25519:

# Key generation (run once, store private key offline or in HSM).
openssl genpkey -algorithm ed25519 -out fleet-A-signing.pem
openssl pkey -in fleet-A-signing.pem -pubout -out fleet-A-verify.pem

# Sign the WASM module.
openssl pkeyutl -sign \
    -inkey fleet-A-signing.pem \
    -in sensor-app.wasm \
    -out sensor-app.wasm.sig

# Device-side verification (embedded C using a libsodium or tweetNaCl binding).
# Public key provisioned to device at manufacture; never leaves device flash.
if crypto_sign_verify_detached(sig, module_bytes, module_len, fleet_pubkey) != 0:
    reject_update()
    rollback_to_previous()

The public key is provisioned to the device at manufacture and stored in a region of flash that is write-protected by the bootloader after the first boot. It cannot be updated over OTA without a signed key-rotation command — preventing an attacker who controls the OTA channel from substituting their own public key.

For fleets with TPM 2.0 or a hardware secure element (Microchip ATECC608B, NXP SE050), the Ed25519 public key is sealed in the secure element and verification is offloaded to hardware, preventing a soft-fault attack from extracting the public key from flash.

Secure OTA Distribution for WASM Modules

The OTA pipeline has three security requirements: confidentiality in transit, integrity of the module, and authenticity of the update source.

TLS for transport. All OTA downloads use TLS 1.3. The device validates the server certificate against a trust anchor provisioned at manufacture — not the host OS certificate store, which may be empty or stale on embedded Linux devices. Pin the OTA server’s certificate or intermediate CA.

// mbedTLS configuration for OTA download client.
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&conf, &ca_cert, NULL);
// Set minimum TLS version to 1.3.
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);

Module signature verification before loading. Download the WASM binary and its detached Ed25519 signature file. Verify the signature before writing the module to the active update slot. If signature verification fails, discard both files and log the failure with the module hash and server address.

A/B slot layout. The device maintains two module slots in flash:

Flash layout (example for 4MB application flash):
  [0x0000 - 0x00FF]  Bootloader + key store (write-protected)
  [0x0100 - 0x07FF]  RTOS + driver firmware (updated infrequently)
  [0x0800 - 0x0BFF]  WASM module slot A (currently active)
  [0x0C00 - 0x0FFF]  WASM module slot B (staging / rollback)
  [0x1000 - 0x10FF]  Slot flags (active slot, trial-boot state, boot count)

An update writes to the inactive slot. The slot flags are updated to mark the new slot as pending a trial boot. Only after the module passes its startup health check are the flags updated to mark the slot as committed.

Rollback Mechanisms

A WASM module that traps (invalid memory access, division by zero, integer overflow, unreachable instruction) terminates at that instruction. The runtime catches the trap and returns an error to the host. The host must track trap frequency and trigger rollback automatically.

// Host-side trap and crash tracking.
#define MAX_TRAPS_BEFORE_ROLLBACK 3
#define TRAP_WINDOW_SECONDS       300  // 5-minute window

static uint32_t trap_count = 0;
static uint32_t trap_window_start = 0;

void on_module_trap(const char *trap_reason) {
    uint32_t now = rtc_get_seconds();

    if (now - trap_window_start > TRAP_WINDOW_SECONDS) {
        // Window expired — reset counter.
        trap_count = 0;
        trap_window_start = now;
    }

    trap_count++;
    log_event("WASM_TRAP", trap_reason, trap_count);

    if (trap_count >= MAX_TRAPS_BEFORE_ROLLBACK) {
        log_event("ROLLBACK_TRIGGERED", "trap_threshold_exceeded", 0);
        activate_previous_slot();
        device_reboot();
    }
}

Rollback activates the previous slot by writing to the slot flags region and rebooting. On the next boot the runtime loads the previous module. The failed module is retained in the inactive slot for post-mortem analysis — downloadable by the management plane via a diagnostic channel.

For the trial-boot pattern, the boot count is decremented on each startup and incremented when the module reports healthy. A module that crashes before reporting healthy leaves the boot count at zero, and the bootloader activates the previous slot on the next restart.

Epoch Interruption Instead of Fuel Metering

Fuel metering — decrementing a counter on each WASM instruction and aborting when it reaches zero — is the conventional way to prevent infinite loops. On microcontrollers, the per-instruction counter decrement adds measurable overhead: in Wasm3 and WAMR, fuel metering increases execution time by 15–30% depending on the workload.

For IoT sensor loops that run on a fixed schedule, epoch interruption is the right alternative. The host increments an epoch counter on a hardware timer interrupt. The WASM runtime checks the epoch counter at backward-branch points (loops). If the epoch has advanced, the module traps with an interrupt error.

// Wasmtime epoch interruption (for gateway-class devices running Wasmtime).
wasmtime_config_t *cfg = wasmtime_config_new();
wasmtime_config_epoch_interruption_set(cfg, true);

wasmtime_engine_t *engine = wasmtime_engine_new_with_config(cfg);

// On the timer interrupt (10ms tick):
void TIMER_IRQHandler(void) {
    wasmtime_engine_increment_epoch(engine);
}

// Store configuration: trap after 1 epoch tick (10ms) without a checkpoint.
wasmtime_store_set_epoch_deadline(store, 1);

For Wasm3 and WAMR on microcontrollers, the equivalent is a native host callback imported by the module and called on every loop iteration — a yield point that the host can use to enforce time limits without per-instruction overhead.

Attestation for IoT WASM

A compromised device might load a modified module or bypass signature verification in software. Attestation gives the cloud management plane cryptographic evidence about which module is actually running on a specific device.

The attestation flow:

  1. The management plane sends a freshness nonce to the device.
  2. The device computes SHA-256 of the currently loaded WASM module binary.
  3. The device concatenates the device ID, module hash, firmware hash, and nonce.
  4. The device signs the concatenation with its device-unique private key (held in secure element or TPM).
  5. The device sends the signed report to the management plane.
  6. The management plane verifies the signature against the device’s certificate, checks the module hash against the expected hash for the device’s assigned update channel, and checks nonce freshness.

A device reporting an unexpected module hash is flagged for investigation and removed from the OTA distribution target list until it is physically inspected. This prevents a compromised device from receiving new WASM modules that it might subvert.

# Management plane: attestation verification (Python pseudocode).
def verify_attestation_report(report, device_cert, expected_module_hash):
    # Check nonce freshness (nonce must be less than 60s old).
    if time.time() - nonce_registry[report.nonce] > 60:
        return AttestationResult.STALE_NONCE

    # Verify signature using device certificate public key.
    device_pubkey = load_pubkey(device_cert)
    payload = f"{report.device_id}:{report.module_hash}:{report.firmware_hash}:{report.nonce}"
    if not ed25519_verify(device_pubkey, report.signature, payload.encode()):
        return AttestationResult.INVALID_SIGNATURE

    # Check module hash against expected value for this device's channel.
    if report.module_hash != expected_module_hash:
        quarantine_device(report.device_id, reason="unexpected_module")
        return AttestationResult.UNEXPECTED_MODULE

    return AttestationResult.OK

For devices without a TPM or hardware secure element, software-only attestation using a device-unique key derived from a hardware root (PUF — physically unclonable function, available on some microcontrollers) provides a weaker but non-trivial identity guarantee. Pure software attestation with a key stored in writable flash is not recommended — physical access can extract or replace the key.

Project Thinnk and RTOS Deployment

Project Thinnk is a research and early-production effort to run WASM modules on RTOS targets for automotive and industrial applications. The motivation is determinism: an RTOS (FreeRTOS, Zephyr, Azure RTOS) provides hard real-time task scheduling, and running WASM inside an RTOS task gives application logic a sandboxed execution environment within a deterministic scheduling model.

The integration shape is a dedicated RTOS task that owns the WASM runtime. Module updates are handled as a task notification: the OTA task writes the new WASM binary to flash, verifies the signature, sets a notification flag, and the WASM task restarts with the new module on the next scheduling cycle. No firmware reflash; no loss of RTOS task state.

// Zephyr RTOS: WASM runtime task.
K_THREAD_DEFINE(wasm_tid, WASM_STACK_SIZE,
                wasm_task, NULL, NULL, NULL,
                WASM_TASK_PRIORITY, 0, 0);

void wasm_task(void *a, void *b, void *c) {
    while (1) {
        // Wait for OTA notification or scheduled tick.
        uint32_t events = k_event_wait(&ota_events,
                                       EVT_MODULE_READY | EVT_TICK,
                                       false, K_FOREVER);

        if (events & EVT_MODULE_READY) {
            // New module available — verify and swap.
            if (verify_slot_signature(INACTIVE_SLOT) == VERIFY_OK) {
                swap_active_slot();
                reload_wasm_module();
            }
        }

        if (events & EVT_TICK) {
            run_wasm_sensor_tick();
        }
    }
}

The automotive and industrial value proposition is software-defined functionality: an ECU’s sensor processing logic can be updated in the field without reflashing the ECU firmware, the update can be scoped to one sandboxed WASM module, and the RTOS scheduler guarantees that the update swap does not interrupt safety-critical tasks running on adjacent cores.

WASM for Device Driver Extensions

A compelling use case beyond application logic is allowing third-party sensor integrations as sandboxed WASM plugins. A gateway device ships with a small set of built-in driver bindings (I2C temperature sensors, SPI accelerometers, Modbus RTU). A sensor vendor ships a WASM plugin that implements the driver for their proprietary sensor protocol.

The plugin imports a small, scoped host API:

// Sensor plugin in Rust, compiled to wasm32-unknown-unknown.
// Imports provided by the host: i2c_read and i2c_write only.
// No direct hardware access; no filesystem; no network.
extern "C" {
    fn i2c_read(addr: u8, reg: u8, buf: *mut u8, len: u32) -> i32;
    fn i2c_write(addr: u8, reg: u8, buf: *const u8, len: u32) -> i32;
}

#[no_mangle]
pub extern "C" fn read_temperature() -> f32 {
    let mut raw = [0u8; 2];
    unsafe {
        i2c_read(0x48, 0x00, raw.as_mut_ptr(), 2);
    }
    let raw_val = i16::from_be_bytes(raw);
    (raw_val as f32) * 0.0625
}

The host enforces that i2c_read and i2c_write can only address the I2C bus the sensor is attached to, and only the I2C address registered for that plugin at install time. A malicious or buggy sensor plugin cannot address other I2C peripherals, cannot read calibration data from a different sensor, and cannot issue writes to the display or motor controller.

Plugins are distributed as signed .wasm files through the same OTA channel as application logic modules. A device administrator can install, update, or remove a sensor plugin without reflashing firmware. Plugin signatures are verified against the sensor vendor’s signing certificate, which is pre-installed in the device’s trust store during commissioning.

Resource Constraint Summary

Device class RAM budget for WASM Recommended runtime Fuel/epoch limit
Cortex-M3/M4 MCU 32–128KB Wasm3 interpreter RTOS tick-based epoch
Cortex-A53 MPU 1–4MB WAMR (interpreter or AOT) 100ms epoch interrupt
ARM gateway 64MB+ wasmEdge or WAMR AOT 500ms epoch interrupt
x86 edge server Unrestricted wasmtime full features 1s epoch interrupt

Always set an explicit memory limit in the runtime host before the module begins execution. Never rely on the module’s declared memory section as the limit — a malicious module can request more than it declared if the runtime allows uncapped memory.grow.

Failure Modes and Mitigations

Failure Detection Mitigation
OTA server delivers unsigned module Signature verification fails pre-load Reject module, log server address, alert management plane
Module traps on startup Host trap counter; startup health check Immediate rollback to previous slot
Module enters infinite loop Epoch interrupt fires after timeout Module trapped; host increments trap counter
Flash write interrupted mid-update Module slot hash mismatch on boot Bootloader detects corrupt slot; activates previous slot
Signing key compromise Out-of-band detection Rotate fleet signing key; push signed key-rotation command to all devices
Attestation spoofing Nonce staleness; signature invalidity TPM/SE-backed signing; nonce expiry enforced server-side
Memory exhaustion by module RTOS heap starvation Pre-allocated pool for WASM runtime; explicit memoryLimit